LinuxCommandLibrary

age

Encrypt and decrypt files using public keys

TLDR

Generate an encrypted file that can be decrypted with a passphrase

$ age [[-p|--passphrase]] [[-o|--output]] [path/to/encrypted_file] [path/to/unencrypted_file]

Encrypt a file with one or more public keys entered as literals (repeat the --recipient flag to specify multiple public keys)
$ age [[-r|--recipient]] [public_key] [[-o|--output]] [path/to/encrypted_file] [path/to/unencrypted_file]

Encrypt a file to one or more recipients with their public keys specified in a file (one per line)
$ age [[-R|--recipients-file]] [path/to/recipients_file] [[-o|--output]] [path/to/encrypted_file] [path/to/unencrypted_file]

Decrypt a file with a passphrase
$ age [[-d|--decrypt]] [[-o|--output]] [path/to/decrypted_file] [path/to/encrypted_file]

Decrypt a file with a private key file
$ age [[-d|--decrypt]] [[-i|--identity]] [path/to/private_key_file] [[-o|--output]] [path/to/decrypted_file] [path/to/encrypted_file]

SYNOPSIS

age [-a] [-o output] [-r pubkey...] [-R file] [-i identity] [-p] [-E var] [-U uid] [-G gid] [file...]
age -d [-o output] [-i identity...] [file...]

PARAMETERS

-a, --armor
    Armor output with ASCII encoding.

-o, --output FILE
    Write output to FILE instead of stdout.

-r, --recipient PUBKEY
    Encrypt for public key PUBKEY (repeatable).

-R, --recipients-file FILE
    File with public keys, one per line.

-i, --identity FILE
    Identity file for decryption (repeatable).

-p, --passphrase
    Interactive passphrase encryption/decryption.

-E, --env VAR
    Use $VAR content as recipient (repeatable).

-U, --uid UID
    Set owner UID on output (Unix only).

-G, --gid GID
    Set owner GID on output (Unix only).

-d, --decrypt
    Decrypt input (stdin if no files).

--decrypt-file FILE
    Decrypt FILE to stdout.

DESCRIPTION

age is a straightforward, modern encryption tool designed for simplicity and security, avoiding the complexity of tools like PGP. It supports public-key encryption with recipients' public keys, passphrase encryption, and SSH key compatibility. Its output is the age file format, which is compact and streamable.

Encryption produces armored or binary output, with metadata including the encryption scheme (e.g., X25519-XSalsa20-Poly1305). Decryption automatically detects and uses stanzas for recipients or passphrases. It excels in usability for scripts, backups, and secrets management, outperforming GPG in ease-of-use for common tasks.
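The stanzas mentioned above sit in a plain-text header, so the recipient types on a file can be listed without holding any key. The following is an added example, not part of the original page or of the age project's code: it parses that header following the public age v1 format. The names `dearmor`, `parse_header`, `audit` and `SAMPLE` are chosen here, and the sample input is constructed.

```python
import base64

VERSION = b"age-encryption.org/v1"
ARMOR_BEGIN = b"-----BEGIN AGE ENCRYPTED FILE-----"
ARMOR_END = b"-----END AGE ENCRYPTED FILE-----"

def dearmor(data):
    """Undo `age -a` armor (PEM-style base64); binary input passes through."""
    text = data.strip()
    if not text.startswith(ARMOR_BEGIN):
        return data
    body = text[len(ARMOR_BEGIN):text.rindex(ARMOR_END)]
    return base64.b64decode(b"".join(body.split()))

def parse_header(data):
    """Return the recipient stanzas of an age v1 file without decrypting it."""
    lines = iter(dearmor(data).split(b"\n"))
    if next(lines) != VERSION:
        raise ValueError("not an age v1 file")
    stanzas = []
    for line in lines:
        if line.startswith(b"--- "):      # header MAC line; payload follows
            return stanzas
        if not line.startswith(b"-> "):
            raise ValueError("malformed header line")
        kind, *args = line[3:].decode("ascii").split(" ")
        body_len = 0
        for chunk in lines:               # body wraps at 64; a shorter line ends it
            body_len += len(chunk)
            if len(chunk) < 64:
                break
        stanzas.append({"type": kind, "args": args, "body_len": body_len})
    raise ValueError("header ended before the MAC line")

def audit(data):
    """Summarise who can decrypt: stanza types, and whether a passphrase is used."""
    types = [s["type"] for s in parse_header(data)]
    # The age format requires a scrypt (passphrase) stanza to stand alone.
    return {"types": types, "passphrase": "scrypt" in types,
            "valid_mix": "scrypt" not in types or len(types) == 1}

# Constructed sample: placeholder base64, not real key material or ciphertext.
SAMPLE = b"\n".join([
    VERSION,
    b"-> X25519 " + b"A" * 43, b"B" * 43,
    b"-> ssh-rsa " + b"C" * 6, b"D" * 64, b"D" * 64, b"D" * 22,
    b"--- " + b"E" * 43,
    b"\x00" * 32,                         # stands in for the encrypted payload
])
```

Calling `audit(open(path, "rb").read())` on a stored backup shows whether it depends on a passphrase or on specific key types before anyone needs to restore it.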

Key features include recipient files for multi-user encryption, environment variable recipients, Unix uid/gid metadata preservation, and support for multiple identities. It's written in Go, portable across platforms, and audited for security. Ideal for encrypting files before cloud storage or sharing securely without key exchange hassles.

CAVEATS

Does not support signing or multi-recipient decryption with passphrases simultaneously. Not suitable for interactive use without a TTY. Large files may require streaming support.

KEY GENERATION

Use age-keygen to generate keypairs: age-keygen -o key.txt outputs public and secret keys.

SSH COMPATIBILITY

Supports SSH public keys directly: age -r "age1..." or from ~/.ssh/id_ed25519.pub.

HISTORY

Developed by Filippo Valsorda in 2019 as part of the age project to simplify encryption. First stable release in 2020 (v1.0). Focuses on modern crypto primitives like X25519; actively maintained with audits.

SEE ALSO

gpg(1), openssl(1), age-keygen(1)
